This small howto explains how to create a simple IPTables base script which will be executed during system bootup.
nano /opt/iptables-base.sh
The content of the file is the list of iptables rules you want applied on your system. Some of the most common examples are given here. Please adjust the interface name (IFACE, eth0 below) to match your system.
#!/bin/sh
IFACE=eth0
## First flush all rules of the filter table (prepare a clean iptables rule book)
iptables -F
## Allow replies and follow-up packets of connections this system already has
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
## Allow PING (ICMP echo request) from everywhere
iptables -I INPUT -i ${IFACE} -p icmp --icmp-type 8 -j ACCEPT
## Allow UDP port 23 globally on this system
## (note: DNS actually uses UDP port 53, so use --dport 53 here if a DNS server is what you run)
iptables -I INPUT -i ${IFACE} -p udp --dport 23 -j ACCEPT
## Allow SSH (port 22), SMTP (port 25), Web SSL (port 443) only from specific IP networks
iptables -A INPUT -i ${IFACE} -p tcp -m multiport -s 178.31.101.0/21,181.93.82.122/27 --dports 22,25,443 -j ACCEPT
## Globally enable access to TCP ports 2222 and 4444 for some reason
iptables -I INPUT -i ${IFACE} -p tcp -m multiport --dports 2222,4444 -j ACCEPT
## Drop everything else arriving on ${IFACE}: this final rule acts as the default for incoming
## connections that none of the rules above allows (the INPUT chain policy itself stays ACCEPT,
## so traffic on other interfaces such as lo is unaffected). Note that -I inserts at the top of
## the chain and -A appends at the bottom, which is why iptables -L lists the rules in a
## different order than this script.
iptables -A INPUT -i ${IFACE} -j DROP
(CTRL + X and enter 'y' to confirm saving)
chmod +x /opt/iptables-base.sh
nano /etc/systemd/system/iptables-base.service
[Unit]
Description=IPTables base configuration to be set on boot time
After=network.target

[Service]
# oneshot: the script runs once and exits; RemainAfterExit keeps the unit shown as active
Type=oneshot
RemainAfterExit=yes
ExecStart=/opt/iptables-base.sh

[Install]
WantedBy=multi-user.target
systemctl daemon-reload
systemctl enable iptables-base.service
Execute the iptables-base.sh file like this:
/opt/iptables-base.sh
Attention! If you are remotely accessing your system via SSH, there is a risk that you may lock yourself out. Before executing the script, please ensure that you have alternate means of accessing the system in case something goes wrong and you are unable to use SSH.
Check that the rules are now loaded in the running kernel with this command:
iptables -L -n
This should return an output like this:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 2222,4444
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:23
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 178.31.101.0/21 0.0.0.0/0 multiport dports 22,25,443
ACCEPT tcp -- 181.93.82.122/27 0.0.0.0/0 multiport dports 22,25,443
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
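As an added example (not part of the original howto), the same rule book rendered as an iptables-restore ruleset: the whole table is committed in one transaction instead of rule by rule, real chain policies replace the trailing DROP rule, loopback is allowed explicitly, DNS is on UDP 53, and a check refuses any ruleset that would cause the SSH lockout the warning above describes. IFACE and the management networks are the howto's values; SSH_PORT=22 is an assumption.

```shell
#!/bin/sh
# Added example (not part of the original howto): the same rule book rendered
# as an iptables-restore ruleset, loaded in one transaction instead of rule by
# rule, plus a sanity check against the SSH lockout the howto warns about.
# Variables: IFACE and the management networks come from the howto; SSH_PORT
# is assumed to be 22 unless set in the environment.
IFACE="${IFACE:-eth0}"
MGMT_NETS="${MGMT_NETS:-178.31.101.0/21,181.93.82.122/27}"
SSH_PORT="${SSH_PORT:-22}"

# Print the ruleset. Differences from the howto's script: real chain policies
# instead of a trailing DROP rule, loopback explicitly allowed, DNS on UDP 53.
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ${IFACE} -p icmp --icmp-type 8 -j ACCEPT
-A INPUT -i ${IFACE} -p udp --dport 53 -j ACCEPT
-A INPUT -i ${IFACE} -p tcp -m multiport -s ${MGMT_NETS} --dports ${SSH_PORT},25,443 -j ACCEPT
COMMIT
EOF
}

# Read a ruleset on stdin; succeed only if INPUT is permissive or there is an
# explicit ACCEPT for SSH_PORT from the management networks.
check_rules() {
  rules=$(cat)
  printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 0
  printf '%s\n' "$rules" | grep -- '^-A INPUT ' | grep -- "-s ${MGMT_NETS} " \
    | grep -q -- "--dports ${SSH_PORT}[, ]"
}

# Number of INPUT rules in the generated set (handy for a quick self-test).
input_rule_count() { gen_rules | grep -c -- '^-A INPUT '; }

# Apply for real (root and iptables-restore required): refuse an unsafe set,
# dry-run the parse, then commit the whole table atomically.
apply_rules() {
  gen_rules | check_rules || { echo "refusing: SSH from ${MGMT_NETS} not allowed" >&2; return 1; }
  gen_rules | iptables-restore --test || return 1   # parse only, nothing loaded
  gen_rules | iptables-restore
}
```

For interactive changes over SSH, load the ruleset through iptables-apply(8) from the iptables package instead, which reverts to the previous rules automatically unless you confirm within a timeout.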